angr / angr-doc Goto Github PK
View Code? Open in Web Editor NEWDocumentation for the angr suite
Home Page: https://docs.angr.io/
License: BSD 2-Clause "Simplified" License
Documentation for the angr suite
Home Page: https://docs.angr.io/
License: BSD 2-Clause "Simplified" License
i'm newer,i need you help my cfg can't output graph and i don't kown how to load a *bin as a project,thanks
Hi,
When I try to run the solve.py script to debug the GRUB back 28 vulnerability, the following errors are reported:
 File "/home/vancaho/test/grub/solve_grub.py", line 78, in <module>
find_bug()
 File "/home/vancaho/test/grub/solve_grub.py", line 6, in find_bug
p = angr.Project('crypto.mod', load_options={'main_opts': {'custom_base_addr': 0x8000000}})
File "/home/vancaho/.virtualenvs/angr/local/lib/python2.7/site-packages/angr/project.py", line 128, in __init__
self.loader.add_object(self._extern_obj)
File "/home/vancaho/.virtualenvs/angr/local/lib/python2.7/site-packages/cle/loader.py", line 284, in add_object
base_addr = self._get_safe_rebase_addr()
File "/home/vancaho/.virtualenvs/angr/local/lib/python2.7/site-packages/cle/loader.py", line 329, in _get_safe_rebase_addr
return self.max_addr() + (granularity - self.max_addr() % granularity)
File "/home/vancaho/.virtualenvs/angr/local/lib/python2.7/site-packages/cle/loader.py", line 399, in max_addr
return max(map(lambda x: x.get_max_addr(), self.all_objects))
File "/home/vancaho/.virtualenvs/angr/local/lib/python2.7/site-packages/cle/loader.py", line 399, in <lambda>
return max(map(lambda x: x.get_max_addr(), self.all_objects))
File "/home/vancaho/.virtualenvs/angr/local/lib/python2.7/site-packages/cle/backends/__init__.py", line 276, in get_max_addr
return out + self.rebase_addr
How to solve this problem? Thanks a lot
android_arm_license_validation
It seems that in Mac OS 10.12.4, the result we get are not as expected , even in Ubuntu 16.04 on my server this result is still not as expected:
WARNING | 2017-05-03 11:41:57,782 | cle.loader | The main binary is a position-independent executable. It is being loaded with a base address of 0x400000.
ABGAAWQAEEAAAAAA
According to the author's guide as http://www.vantagepoint.sg/blog/81-solving-an-android-crackme-with-a-little-symbolic-execution
The result string should be JQAE6ACMABNAAIIA
, the worst is both ABGAAWQAEEAAAAAA
and JQAE6ACMABNAAIIA
could not pass in phone:
adb shell /data/local/tmp/validate JQAE6ACMABNAAIIA
Entering base32_decode
Outlen = 2
Entering check_license
Incorrect serial.
Does anyone have ideas that can help me with this?
Thank you
Right now there's very little documentation on how to use the NetworkX di-graph from angr. The current example in /docs/analyses/cfg.md
that suggests print "This is the graph:", cfg.graph
seems to print nothing.
Just using networkx.draw(...)
will result in a horrible graph like this.
Any suggestions on how I could dump the graph to GraphML or JSON? Using json_graph.dumps(cfg.graph)
results in TypeError("G is not a tree.")
.
When trying to run the example as is (from an up to date angr-dev docker image) the solve.py returns
"Totally not the password...@��@ �����"
When I run the yolomolo example, an error occurred as below.
/home/leizhao/.virtualenvs/angr/local/lib/python2.7/site-packages/pyvex/block.py:75: UserWarning: implicit cast from 'char *' to a different pointer type: will be forbidden in the future (check that the types are as you expect; use an explicit ffi.cast() if they are correct)
1)
Launching exploration
ERROR | 2016-11-10 18:49:27,830 | angr.simos | Syscall 101 is not found for arch AMD64
ERROR | 2016-11-10 18:49:27,832 | angr.simos | Syscall 101 is not found for arch AMD64
Traceback (most recent call last):
File "yolomolo-solve.py", line 42, in
assert main() == "HACKCON{VVhYS04ngrY}"
File "yolomolo-solve.py", line 35, in main
final = ex.found[0].state
IndexError: list index out of range
BTW, I found a similar issue (#91). The difference is that the error message of my example didn't include the segment fault.
Hi thanks for great work!
I was reading the API documents a few minutes ago, but suddenly most of contents can't be accessible now. Can you fix it? (http://angr.io/api-doc/index.html)
Hi,
I assume x86_64 architecture and code similar to this one:
int bar(int a, int b)
{
<arithmetic operations in dependence on a and b>
if (d == 100) // d depends on a and b
return 1;
return 0;
}
My goal is to retrieve the inputs for a
and b
, stored in RDI
and RSI
such that 1 will be returned.
My code for that looks similar to
import angr
b = angr.Project(<binary>)
s = b.factory.blank_state(addr = <function start>)
pg = b.factory.path_group(s, immutable=False)
pg.explore(find=<address of return 1>)
s = pg.found[0].state
print s.se.any_int(s.regs.rdi)
print s.se.any_int(s.regs.rsi)
The returned values of RDI
and RSI
do not work, in the most cases. Therefore, should this approach work similary as described above or do I misunderstand something?
Minor change that might improve-
Arch doesn't appear to have mkvirtualenv
. Maybe express in the docs that mkvirtualenv
can be simulated as well by..
virtualenv angr
. angr/bin/activate
docs missing for Procedures in doc http://angr.io/api-doc/simuvex.html#module-simuvex.procedures
It looks like Angr has a tendency to chew up all CPU and memory resources. One one hand that's good because it's utilizing all available resources. The problem is that on two separate computers now (and separate binaries), angr has managed to completely lock up the system to the point where I have to hard reset it. There should likely be some sort of memory management ability for the program to either cancel out when it has eaten up too much memory, stop taking up more memory, etc.
i use the docker for angr( angr/angr ), it works well. now i want to update some library, can you give us the passwd for root then?
error:angr.analyses.cfg | AngrError Cannot create run following jumpkind Ijk_SigFPE_IntOvf when creating SimRun at 0x40a9dc
what should i do ? thanks
Hi Shellphish,
This issue is not really in angr, but it is related. In the page http://angr.io, your first citation has the wrong year, 2015 instead of 2016.
@Article{shoshitaishvili2016state,
title={SoK: (State of) The Art of War: Offensive Techniques in Binary Analysis},
author={Shoshitaishvili, Yan and Wang, Ruoyu and Salls, Christopher and Stephens, Nick and Polino, Mario and Dutcher, Andrew and Grosen, John and Feng, Siji and Hauser, Christophe and Kruegel, Christopher and Vigna, Giovanni},
booktitle={IEEE Symposium on Security and Privacy},
year={2015}
}
Sorry for submitting an issue only for a typo, I do it with the best intention, because I wish you tons of citations.
By the way, congratulations for this paper and the project! :)
I hope I get the chance to meet you these days in IEEE S&P.
Yoalli
Now that we have angr on Docker, we can use Travis CI to pull the latest image and test all the examples. (By itself, I think Travis CI is too slow to build angr and timeouts.)
Is there currently a script somewhere that runs all the examples, or should I write one?
Paging @zardus since we briefly spoke about this on IRC.
ERROR | 2016-04-06 23:40:03,206 | angr.analyses.cfg | Caught an AngrError during CFG recovery at 0x40b768 (.text)
raise PyVEXError(ffi.string(pvc.last_error) if pvc.last_error != ffi.NULL else "unknown error")
angr.errors.AngrTranslationError: ('Translation error', <class 'pyvex.PyVEXError'>, PyVEXError('exception in VEX (see console)',))
I can print the CFG of examples in the github ,but when i load a binnary myself(DLink's webs) ,it is error
Hey,
So this is probably a user error, but I created a binary to test my understanding of angr. Basically, all it does is ask for input, then check that against a static "P@ssword", and branch accordingly. I've been able to get angr to find the path just fine, but I can never get it to tell me that the only way to get through to that path is to use the "P@ssword".
Here's my simple script:
import angr
import simuvex
b = angr.Project("a.out")
e = b.surveyors.Explorer(find=(0x400695))
e.run()
s = e.found[0].state
s.se.any_str(s.memory.load(s.regs.rbp-0x110,16))
The C code is this (gcc test.c):
int main() {
char buf[256];
printf("Enter password: ");
gets(buf);
if (strcmp(buf,"P@ssword")) {
printf("%s is correct\n",buf);
}
else {
printf("%s is incorrect\n",buf);
}
return 0;
}
The examples are being overwhelmed with similar "start here, explore to here, print flag" writeups. These are good to have for testing, because they tend to explore different types of code, help us keep writeups working as angr evolves, and so on, but they're redundant for people trying to learn angr.
I think we need to have an "Examples Showcase" that shows unique examples, and a "Additional Examples" section that contains redundancies for CI (and curious readers). Putting this issue as a placeholder for now. Next step is building the list.
Dear all,
I took angr to symbolically execute an example in the veritesting paper,
after has run for about 1h 30m, angr outputs "killed".
What does it mean?
Thanks.
(angr)angr@c06036219af2:~/angr-dev/angr-doc/examples/hackcon2016_angry-reverser$ python solve.py
Launching exploration
ERROR | 2016-09-12 17:20:39,947 | angr.simos | Syscall 101 is not found for arch AMD64
ERROR | 2016-09-12 17:20:39,950 | angr.simos | Syscall 101 is not found for arch AMD64
Traceback (most recent call last):
File "solve.py", line 42, in <module>
assert main() == "HACKCON{VVhYS04ngrY}"
File "solve.py", line 35, in main
final = ex.found[0].state
IndexError: list index out of range
Segmentation fault (core dumped)
(angr)angr@c06036219af2:~/angr-dev/angr-doc/examples/hackcon2016_angry-reverser$ pip list
ana (0.02, /home/angr/angr-dev/ana)
angr (5.6.8.22, /home/angr/angr-dev/angr)
angr-management (4.6.6.28, /home/angr/angr-dev/angr-management)
angr-only-z3-custom (4.4.1.post4)
archinfo (5.6.8.22, /home/angr/angr-dev/archinfo)
argparse (1.2.1)
astroid (1.4.8)
atom (0.3.10)
backports.functools-lru-cache (1.2.1)
backports.shutil-get-terminal-size (1.0.0)
backports.ssl-match-hostname (3.5.0.1)
bintrees (2.0.4)
cachetools (1.1.6)
capstone (3.0.4)
cffi (1.8.2)
claripy (5.6.8.22, /home/angr/angr-dev/claripy)
cle (5.6.8.22, /home/angr/angr-dev/cle)
configparser (3.5.0)
cooldict (1.02, /home/angr/angr-dev/cooldict)
coverage (4.2)
decorator (4.0.10)
distribute (0.7.3)
dpkt-fix (1.7)
enaml (0.9.8)
enum34 (1.1.6)
future (0.15.2)
futures (3.0.5)
idalink (0.10, /home/angr/angr-dev/idalink)
ipdb (0.10.1)
ipython (5.1.0)
ipython-genutils (0.1.0)
isort (4.2.5)
kiwisolver (0.1.3)
lazy-object-proxy (1.2.2)
mccabe (0.5.2)
monkeyhex (1.1, /home/angr/angr-dev/monkeyhex)
mulpyplexer (0.07, /home/angr/angr-dev/mulpyplexer)
networkx (1.11)
nose (1.3.7)
nose-timer (0.6.0)
pathlib2 (2.1.0)
pefile (2016.3.28)
pexpect (4.2.1)
pickleshare (0.7.4)
pip (1.5.4)
plumbum (1.6.2)
ply (3.9)
progressbar (2.3)
prompt-toolkit (1.0.7)
ptyprocess (0.5.1)
pycparser (2.14)
pyelftools (0.24)
Pygments (2.1.3)
pylint (1.6.4)
pyvex (5.6.8.22, /home/angr/angr-dev/pyvex)
rpyc (3.3.0)
setuptools (27.1.2)
simplegeneric (0.8.1)
simuvex (5.6.8.22, /home/angr/angr-dev/simuvex)
six (1.10.0)
superstruct (1.0, /home/angr/angr-dev/superstruct)
termcolor (1.1.0)
traitlets (4.3.0)
unicorn (1.0)
wcwidth (0.1.7)
websocket-client (0.37.0)
wrapt (1.10.8)
wsgiref (0.1.2)
api-doc/source/*.rst
Would be good to add one or two practical examples of using angr.analyses.backward_slice.BackwardSlice
; at the moment there's only backward_slice.md
(which is nicely written, but doesn't show a "real-world"/CTF situation).
I'll probably end up doing this in a few weeks, but figured I should put this up anyway in case somebody already has an example.
This might sound obvious, but there is no real section where each kind of path is at least defined. What is a ${type} path ? In which case is it useful ?
It can be interesting to clearly have an explanation on that, to avoid looking for example only at found
path when your answer is in a deadended
one.
I would have taken care of it myself if I wasn't one of the people that don't know what these types are :)
Hi, when trying to execute the insomnihack example am getting this error:
(angr)symeon@ubuntu:~/angr/angr-dev/angr-doc/examples/insomnihack_aeg$ python simple_aeg.py demo_bin
Warning: FastBinaryTree not available, using Python version BinaryTree.
Warning: FastAVLTree not available, using Python version AVLTree.
Warning: FastRBTree not available, using Python version RBTree.
INFO | 2016-04-16 13:44:03,850 | insomnihack.simple_aeg | looking for vulnerability in 'demo_bin'
INFO | 2016-04-16 13:44:20,116 | insomnihack.simple_aeg | found some unconstrained paths, checking exploitability
INFO | 2016-04-16 13:45:23,301 | insomnihack.simple_aeg | found some unconstrained paths, checking exploitability
INFO | 2016-04-16 13:45:25,248 | insomnihack.simple_aeg | found some unconstrained paths, checking exploitability
INFO | 2016-04-16 13:45:25,251 | insomnihack.simple_aeg | found a path which looks exploitable
INFO | 2016-04-16 13:45:25,251 | insomnihack.simple_aeg | attempting to create exploit based off path
INFO | 2016-04-16 13:45:25,251 | insomnihack.simple_aeg | found symbolic buffer at 0xc0000c20
INFO | 2016-04-16 13:45:25,260 | insomnihack.simple_aeg | found buffer for shellcode, completing exploit
INFO | 2016-04-16 13:45:25,261 | insomnihack.simple_aeg | pointing pc towards shellcode buffer
Traceback (most recent call last):
File "simple_aeg.py", line 116, in <module>
sys.exit(main(sys.argv[1]))
File "simple_aeg.py", line 108, in main
f.write(ep.state.posix.dumps(0))
File "/home/symeon/angr/angr-dev/simuvex/simuvex/plugins/posix.py", line 372, in dumps
return self.state.se.any_str(self.get_file(fd).all_bytes())
File "/home/symeon/angr/angr-dev/simuvex/simuvex/plugins/solver.py", line 297, in any_str
ans = self.any_n_str(e, 1, extra_constraints=extra_constraints)
File "/home/symeon/angr/angr-dev/simuvex/simuvex/plugins/solver.py", line 306, in any_n_str
return list(self.any_n_str_iter(e, n, extra_constraints=extra_constraints, exact=exact))
File "/home/symeon/angr/angr-dev/simuvex/simuvex/plugins/solver.py", line 302, in any_n_str_iter
for s in self.eval(e, n, extra_constraints=extra_constraints, exact=exact):
File "/home/symeon/angr/angr-dev/simuvex/simuvex/plugins/solver.py", line 73, in autoed_f
return ast_stripping_op(f, self, *args, **kwargs)
File "/home/symeon/angr/angr-dev/simuvex/simuvex/plugins/solver.py", line 43, in ast_stripping_op
r = _actual_ast_stripping_op(f, *args, **kwargs)
File "/home/symeon/angr/angr-dev/simuvex/simuvex/s_action_object.py", line 36, in ast_stripping_op
return f(*new_args, **new_kwargs)
File "/home/symeon/angr/angr-dev/simuvex/simuvex/plugins/solver.py", line 80, in wrapped_f
return f(self, *args, **kwargs)
File "/home/symeon/angr/angr-dev/simuvex/simuvex/plugins/solver.py", line 244, in eval
return self._solver.eval(e, n, extra_constraints=self._adjust_constraint_list(extra_constraints), exact=exact)
File "/home/symeon/angr/angr-dev/claripy/claripy/frontends/caching_frontend.py", line 344, in eval
self._eval(e, n_lacking, extra_constraints=solver_extra_constraints, exact=exact, cache=cache)
File "/home/symeon/angr/angr-dev/claripy/claripy/frontends/full_frontend.py", line 89, in _eval
raise UnsatError('unsat')
simuvex.s_errors.SimUnsatError: ('Got an unsat result', <class 'claripy.errors.UnsatError'>, UnsatError('unsat',))
Am I missing something? Does it work for you? Thanks.
Dear all,
I want to make the generated input be similar with the given input as much as possible.
To implement it, what I thought is to remove the replacements of input preconstraints one by one, and then to ask the solver SolverReplacement to solve repeatedly.
Is there an API function that can be used to re-solve the constraints when the constraints or pre-constraints are changed?
Thank you very much.
Hi, I just searched for an explanation of the graphical output from DDG and DFG but I didn't find any.
So here are my questions to the DDG and DFG png output files:
Maybe you can add a legend for the graphical representation to the documentation.
Best regards :-)
From Data Dependency Graph analysis, there are no documentation provided. It would be great if you can provide some documentation on analysis and implementation for that analysis.
Hi Guys,
I am pretty new to angr. I think it's really cool. I wrote some basic code for testing a shellcode. The source is as follows:
import angr
bp = 0x401010
def check(path):
if path.state.ip.args[0] == bp:
return True
else:
return False
b = angr.Project('shellcode.exe')
state = b.factory.entry_state()
pg = b.factory.path_group(state)
pg.explore(find=check)
found = pg.found[0]
print len(pg.found)
The shellocode disassembly looks like this:
.text:00401000 start proc near
.text:00401000 jmp short loc_401012
.text:00401000 start endp
.text:00401000
.text:00401002
.text:00401002 ; =============== S U B R O U T I N E =======================================
.text:00401002
.text:00401002 ; Attributes: noreturn
.text:00401002
.text:00401002 sub_401002 proc near ; CODE XREF: sub_401002:loc_401012�p
.text:00401002 pop ebx
.text:00401003 dec ebx
.text:00401004 xor ecx, ecx
.text:00401006 mov cx, 296h
.text:0040100A
.text:0040100A loc_40100A: ; CODE XREF: sub_401002+C�j
.text:0040100A xor byte ptr [ebx+ecx], 9Ch
.text:0040100E loop loc_40100A
.text:00401010 jmp short loc_401017
.text:00401012 ; ---------------------------------------------------------------------------
.text:00401012
.text:00401012 loc_401012: ; CODE XREF: start�j
.text:00401012 call sub_401002
.text:00401017 ; ---------------------------------------------------------------------------
.text:00401017
.text:00401017 loc_401017: ; CODE XREF: sub_401002+E�j
.text:00401017 pop ds
.text:00401018 js short loc_401086
.text:0040101A lodsd
.text:0040101B push ebp
.text:0040101C
.text:0040101C loc_40101C: ; CODE XREF: sub_401002+5B�j
The shellcode XORs the obfuscated block of code starting at 0x401017. My test angr script should be able to stop right before jumping into the deobfuscated code at 0x401010, which allows me to inspect deobfuscated code. But instead I've got the following error paths.
>> pg.errored
[<Errored Path with 667 runs (at 0x4010f8, AngrExitError)>, <Errored Path with 667 runs (at 0x401098, AngrExitError)>]
Since there are only a couple of direct jumps till the 0x401010, angr shouldn't attempt to parse the obfuscated block (that contains gibberish-looking code before deobfuscation). But it appears that's what angr is doing there. I might be wrong. See more error details below.
>> pg.errored[0].error
AngrExitError('IR decoding error at 0x4010f8. You can hook this instruction with a python replacement using project.hook(0x4010f8, your_function, length=length_of_instruction).',)
>> pg.errored[1].error
AngrExitError('Cannot create run following jumpkind Ijk_SigTRAP',)
Please find the shellcode in the zip (pw: infected). Any comment will be greatly appreciated.
In [10]: claripy.BVV(0x00000001, 32).reversed
Out[10]: <BV32 0x1000000>
I'd have expected <BV32 0x80000000>
, reversing the order of bits in a word.
The documentation says that the Reverse
operation "Reverses a bit expression."
I understand why the operation does what it does, reverse by byte for an endian flip, but the naming and documentation could use improvement. When I first saw it as output in a symbolic expression I was really confused, "why would this code flip all the bits around".
After : b = angr.Project('/bin/true', load_options={'auto_load_libs': False})
cfg = b.analyses.CFGAccurate(keep_state=True)
ddg = b.analyses.DDG(cfg)
ddg.data_graph.nodes()[0] # It outputs A: <<Reg 144 8> @ <0x401646 0x401646(11)>>
ddg.graph.nodes()[0] # It outputs B: <0x403664 0x403645(44)>
Whats a interpretation of A and B, what each element stands for. Thanks in advance.
function_manager
no longer exists, so the example doesn't work. angr/angr#195
Reported in https://lists.cs.ucsb.edu/pipermail/angr/2017-January/000278.html
Hi,
I found that angr is able to detect type through static analysis ( full-program static analysis (i.e., type inference, program slicing)). Could you please give an example that how anrg can be use for type inference?
Thank you for your support and time.
Might be pefile related.
Right now there's no examples of using gdb with angr. If you happen to have one you can share, please do. =)
After this spate of deadlines, we really need to update docs for path groups, exploration techniques, etc. The existing stuff is really out of date.
Traceback (most recent call last):
File "backward_slice.py", line 10, in
from ..annocfg import AnnotatedCFG
ValueError: Attempted relative import in non-packag
but my files has the annocfg.py,why?
OS Ubuntu 16.04 LTS amd64 dist-upgraded to current.
while trying a verifiation run on the install, Angr appears to get most of the flags in the cmu_binary_bomb example, but blows a lot of error messages regarding simuvex analyzing a statement (10)...
python version is 2.7.12
installed via pip install angr
attached is the output from the run showign the error message.
there is something wrong with "Defcamp CTF Qualification 2015 - Reversing 200" sample code.
after update to latest version, it through an error like this
ERROR | 2016-01-13 21:48:23,492 | angr.analyses.cfg | SimError:
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/angr/analyses/cfg.py", line 776, in _get_simrun
sim_run = self.project.factory.sim_run(current_entry.state, jumpkind=jumpkind)
File "/usr/local/lib/python2.7/dist-packages/angr/factory.py", line 114, in sim_run
r = sim_proc_class(state, addr=addr, sim_kwargs=kwargs)
File "/usr/local/lib/python2.7/dist-packages/simuvex/s_procedure.py", line 227, in new
raise SimProcedureError("Tried to run simproc continuation with empty stack")
SimProcedureError: Tried to run simproc continuation with empty stack
Seems that the script in its current form is broken. I am simply trying to execute the example and it fails to find a solution.
Traceback (most recent call last):
File "./poc.py", line 57, in
print(repr(main()))
File "./poc.py", line 47, in main
found = path_group.found[0] # In our case, there's only one printable solution.
IndexError: list index out of range
Hello!
I'm trying to solve phase 6 with angr but I get a lot of warnings like the following and angr actually never finishes the execution.
WARNING | 2016-12-21 23:09:53,895 | simuvex.vex.irsb | <SimIRSB 0x401176> hit an error while analyzing statement 3
SimMemoryAddressError: Unable to concretize address for load with the provided strategies.
What am I doing wrong?
This is the script I've done (still a WIP so some constraints are missing).
import angr, logging, claripy, simuvex
from IPython import embed
class custom_hook(simuvex.SimProcedure):
def run(self, addr):
for i in range(6):
bvs = claripy.BVS("int{}".format(i), 8*4*6, explicit_name=True)
self.state.add_constraints(bvs.get_bytes(0, 4) >= 1, bvs.get_bytes(0,4) <= 6)
self.state.memory.store(bvs, addr+i*4, endness=self.state.arch.memory_endness)
return addr
def solve_flag_6():
start = 0x4010f4
read_num = 0x40145c
find = 0x4011f7
avoid = (0x4011e9, 0x401140, 0x401123,)
p = angr.Project("./bomb", load_options={'auto_load_libs':False})
p.hook(read_num, custom_hook)
state = p.factory.blank_state(addr=0x4010f4)
pg = p.factory.path_group(state, threads=4)
pg.explore(find=find, avoid=avoid)
print(pg)
return 0
def main():
print("Flag 6:" + str(solve_flag_6()))
if __name__ == '__main__':
logging.getLogger('angr.path_group').setLevel(logging.DEBUG)
main()
Thanks guys!
The link in the readme to orgy.md is broken. Is the orgy component even in the repo?
If not, how would you suggest to do distributed analysis with angr?
The link to distributed analysis can not be used any more. How to do such analysis?
I downloaded the angr docker image but none of the examples under angr-doc work. It's more like they can't find any solutions.
(angr)angr@096d8358f98d:~/angr-dev/angr-doc/examples/securityfest_fairlight$ python solve.py
WARNING | 2016-09-26 10:14:40,092 | cle.relocations | Unknown reloc 6 on AMD64
WARNING | 2016-09-26 10:14:40,092 | cle.relocations | Unknown reloc 7 on AMD64
Traceback (most recent call last):
File "solve.py", line 33, in <module>
main()
File "solve.py", line 24, in main
found = path_group.found[0]
IndexError: list index out of range
I run it on a Mac OS X sierra.
As @zardus mentioned in #66, it might be fun to write an angr class/course that helps new users progress from basic to complex reverse/crackmes. It would be similar to examples.md
, but with the binaries and scripts explained in more detail.
My question is, where do you guys want to put this? In angr-doc? In a new repo?
I wrote a simple ReverseMe progam just like the example of Baby-re.
Beside, I wrote a similar script just like that of the Baby-re.
However, the script hangs in my platform (ubuntu-16.04), whereas it works well in another platform of Mac.
So, does Angr depend on some particular features of architectures?
With pg.explore(find = find), I can generate the target path as pg.found[0].
If I want to get the exercised path objects of pg.found[0], how could I do?
I know the addresses of execrised blocks can be accessed by path.addr_trace[], for path objects, how to access them?
Thanks.
The documentation on loading gives me the impression that the base address for a binary will be detected and everything will be updated accordingly. This isn't happening in the following example from the DEFCON qualifiers:
angr (CLE loader of course), is telling me the following:
hex(b.loader.main_bin.get_min_addr())
'0x400000'hex(b.loader.main_bin.entry)
'0x400a60'
However, readelf is telling me:
$ readelf -l pr0dk3y | grep -i load
LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000
LOAD 0x0000000000002de0 0x0000000000202de0 0x0000000000202de0
$ readelf -h pr0dk3y | grep Entry
Entry point address: 0xa60
Is this expected behavior? If so, perhaps there should be some way to warn the user that angr is at a different base address than anything else that runs it.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.